Edging towards viable anti-spam legislation

Over the last few years, South African legislation has slowly started catching
up with electronic communications, and I had high hopes that the Protection of
Personal Information Bill (POPI) would provide the final piece of the puzzle to
both protect consumers and allow businesses to continue to market directly to
people in an ethical way.

Unfortunately, recent amendments to the Bill, thanks to lobbying by direct
marketers, have watered it down substantially, especially when it comes to email
and SMS marketing. The current version of the POPI Bill is still better than
the existing law when it comes to protecting personal information, but I have
some serious concerns about the practicality of the latest changes and how they
will impact on the effectiveness of the bill when it is passed into law.

Opt-in vs opt-out

Initially, my hope in the POPI Bill was due to the fact that for the first time
it included the requirement that people opt-in to direct marketing, rather than
opt-out. This is in line with the regulations of industry bodies such as the
Wireless Application Service Providers’ Association (WASPA) and the Internet
Service Providers’ Association (ISPA). In contrast, existing legislation in the
form of the Electronic Communications and Transactions Act (ECT) and the
Consumer Protection Act (CPA) works on an opt-out basis. The Direct Marketing
Association of South Africa (DMASA) regulations are also based on the consumer
needing to opt-out of unsolicited direct marketing.

The problem with opting out

There are a couple of problems with using opt-out principles to protect
consumers from unwanted commercial messages, known as spam.

Firstly, in the case of third-party databases that are bought and sold, it is
almost impossible for a member of the public to remove their name from the
master list once and for all. They might remove their name from company A’s
version of the list, but will continue to receive spam from companies B, C, D
and whoever else has bought the list. And there could be hundreds of lists
circulating at any one point in time.

The DMASA and CPA have tried to tackle this via a Do Not Contact register
(DNC). In the case of the DMASA, this register only applies to its members, and
is further flawed by the DMASA emailing this list of people to its members.
This is clearly a massive security risk and recent reports in the media
indicated that this list of contact details, identity numbers and addresses has
already been leaked.

Furthermore, a Do Not Contact register does nothing to prevent the buying and
selling of personal data. Once this information lands in the wrong hands, such
as an identity thief, it could be used for fraudulent purposes.

The cost of opting out

The second reason why an opt-in system is preferable is that when it
comes to SMS, there is a monetary cost attached to responding to the
communication in order to opt-out in the form of the reply SMS. Looking at
direct marketing from the point of view of protection of property, as per our
Constitution, it is clearly unethical to require someone to spend money to
remove themselves from a database they did not ask to be added to.

The dilution of POPI

POPI proposes that individuals who are not a customer of a company need to
explicitly opt-in to direct marketing from a company. It should be easy to
opt-out, and the opt-out methods should be made clear at the time of signing
up, and with every subsequent communication. In this case, it is not
unreasonable for customers to pick up the once-off cost of unsubscribing with a
standard-rate SMS.

Unfortunately, however, a recent change to the bill has weakened this opt-in
approach. Possibly as a result of lobbying by direct marketers, an additional
clause was added that allows companies to approach a consumer via an
unsolicited email or SMS, and ask them if they would like to receive future
marketing communications, thus building an opted-in database.

This is problematic for a number of reasons. Firstly, it raises the question of
where the company got the contact details in the first place. Secondly, it
would be very easy to include a marketing message in the initial communication.
Finally, what is to stop a company changing its identity and simply sending the
message again in another guise?

Unfortunately, this once-off permission system could very quickly become
meaningless. It opens the door to the buying and selling of contact details. If
the customer gives consent in the first place, then the previous wording is
enough to both protect consumers and allow business to continue with legitimate
direct marketing to non-customers.

Companies should rather focus their attention on building legitimate opted-in
databases by leveraging other channels, such as above-the-line advertising,
promotions, loyalty campaigns and so on. Companies should include a reply path
on any marketing material whether by SMS, email, social network or even snail
mail. This explicit permission would also mean that they would not have to
query the DNC registry, as per the CPA, on every communication.

Time and time again it has been proven that an opted-in database gets better
results, whereas an opt-out system becomes unworkable after time and eventually
destroys the effectiveness of a communications channel. It is to the benefit of
everyone to follow opt-in principles.